
-TARGET:        PE EXE/SCR & HTM FILES (LAST SECTION INCREASE)
-OS'S:          W32 COMPATIBLE W95/98, NT4/5 & 2000 (NOT TESTED ON THE LATTER OSES)
-MULTIPARTITE:  YES (PE->HTM)
-RESIDENT:      YES (RING0)
-STEALTH:       NO
-THREADS:       NO (DUH?)
-FIBERS:        NO (..)
-KERNEL SEARCH: YES
-ENCRYPTED:     YES (VERY ENCRYPTED: POLY + TWO RDA LAYERS)
-POLYMORPHIC:   YES ... LAME SLOW-POLY LAYER ... TOO TIRED ... :DDDDDDDD
-ANTIDEBUGGER:  YES (HYPER-ANTI-DEBUG)
-ANTITRACE:     YES
-ANTIEMULATOR:  YES (HYPER-ANTI-EMUL)
-ANTIDISASM:    YES
-ANTIHEURISTIC: YES
-ANTIBAIT:      YES
-ERROR HANDLING: YES (SEH)
-RETRO:         YES (BYE, BYE AV'S)
-COMPRESSION:   NO (FUCKED LZ ALGORITHM :/ )
-EPO:           NO
-ANTIWATCHDOGS: YES (AVPM, AMON & NAV)
-CHECKSUM:      NO (IN THE NEXT VERSION I WILL MEMORY-MAP THE FILES ;)

-OTHERS:        IT IS A VERY UNSTABLE VIRUS; IT WON'T INFECT NTOSKRNL.EXE IN NT AND DOES NOT
                HAVE A BIG CHANCE TO SURVIVE IN THE WILD.
                HD-SCANNER... ETC... A BIT (EHEM...) 'VERY' SLOW ....
-PAYLOAD:

ON THE 3RD OF JULY IT DISPLAYS A MESSAGE-BOX, THEN MAKES A GRAPHIC EFFECT (HI LJ'S)

WHEN AN INFECTED FILE IS RUN:

   - PUT A NEW SEH AND CAUSE ONE EXCEPTION, FOOLING APP-LEVEL DEBUGGERZ AND EMULATORZ

   - PROCESS ITS POLYMORPHIC DECRYPTOR

   - PROCESS THE TWO RDA DECRYPTION ROUTINES

   - PROCESS MANY ANTI-EMULATION TRICKS:
     * STACK MANIPULATION
     * SELECTORS
     * FPU CHECK
     * SELF-MODIFYING CODE (INT 01H RULES)

   - ANTIDISASSEMBLER: USE SOME RANDOM DWORDS AFTER THE RET'S & JMP'S

   - PUT A NEW SEH

   - SEARCH THE KERNEL32 ADDRESSES

   - SEARCH THE GetModuleHandle API IN THE ET (EXPORT TABLE)

   - RETRIEVE THE NECESSARY APIS

   - CHECK THE CPU TYPE; IF NOT MMX, RETURN TO HOST

   - CHECK A RANDOM VALUE; 50% OF THE TIME RETURN TO HOST, TO AVOID SLOWDOWN

   - PROCESS THE ANTIDEBUGGER PART:
     * IF W9.X, DESTROY THE DEBUG REGS AND MESS UP THE STACK
     * IF NT, USE THE IsDebuggerPresent API

   - SEARCH FILES IN THE WINDOWS, SYSTEM AND CURRENT DIRS; IF THE MINUTES EQUAL 30, MAKE A
     RECURSIVE SEARCH OF DRIVES C, D, E, F, G AND H.

   - INFECT FILES BY EXPANDING THE LAST SECTION AND MODIFYING THE FUCKED ENTRYPOINT (AVP CATCHES THIS)

   - INFECT WEBPAGES BY OVERWRITING THE FIRST BYTES WITH CODE THAT DISABLES THE ACTIVEX
     PROTECTION (I'M A LAMEEEERRRR!!!!!) (NOTE: ONLY IN NT)

   - MODIFY MIRC.INI TO SEND AN INFECTED CALC.EXE (YES, NT ONLY... LAMER, LAMER, LAMER...)
     (ARGHHH! THE NT DIR ISN'T C:\WINDOWS (SHIT, I FOUND THE BUG WHILE I WAS WRITING THIS)
     (...WHICH IS THE DEFAULT NT DIR?...)

   - DELETE SOME AV CHECKSUMS AND DATABASES

   - DISABLE SOME RESIDENT SHIELDS

   - BEFORE RETURNING TO THE HOST, IF WE ARE IN W9X, JUMP TO RING0 AND STAY RESIDENT,
     HOOKING THE OPENFILE PROCEDURE AND KEEPING A COUNTER: IF THE NUMBER OF FILES OPENED
     REACHES A RANDOM VALUE, TRASH THE BIOS & CMOS... ALSO EVERY FILE OPENED WILL
     MODIFY THE DR3 REGISTER, MAKING SOME DEBUGGERS VERY STONED (TRACING OROCHI UNDER TD32,
     THE PROGRAM JUMPS INCORRECTLY INTO THE OFFSETS AND HANGS THE ENTIRE MACHINE...)

   - IF THE PAYLOAD DATE IS HIT (THE THIRD OF JULY), SHOW THE TYPICAL MESSAGE-BOX AND PUT RANDOM
     BLACK SQUARE PIXELS.... INFINITE LOOP

    KNOWN BUGS: THE VIRUS DOES NOT MAKE ANY CHECKSUM CALCULATION, BUT IT WORKS IN NT BECAUSE IT
    AVOIDS INFECTING NTOSKRNL.EXE.....

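The infection method described above (growing the last section and redirecting the entry point into it, which the author notes AVP catches) leaves a simple structural trace in the PE header. The script below is an added example written for this page from the detection side; it is not the author's code and not taken from any AV product. It parses the 32-bit PE headers by hand and flags an image whose entry point sits inside the last section, with extra findings when that section is writable or not marked as code. The two images it inspects are constructed in memory by the helper `build_test_pe` (an assumption for demonstration, header-only, not real binaries).

```python
import struct

# Section characteristic flags from the PE/COFF specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) for a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    table = opt + opt_size                                # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size = struct.unpack_from("<III", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name, "va": va, "vsize": vsize,
                         "raw_size": raw_size, "chars": chars})
    return entry_rva, sections


def _holds(section, rva):
    span = max(section["vsize"], section["raw_size"])
    return section["va"] <= rva < section["va"] + span


def entry_point_findings(data: bytes):
    """Heuristic: an entry point inside the last section is a classic appender trace."""
    entry_rva, sections = parse_pe(data)
    if not sections:
        return ["no sections"]
    last = sections[-1]
    findings = []
    if _holds(last, entry_rva):
        findings.append("entry point inside last section %r" % last["name"])
        if last["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append("last section is writable and holds the entry point")
        if not last["chars"] & IMAGE_SCN_CNT_CODE:
            findings.append("last section is not marked as code yet holds the entry point")
    elif not any(_holds(s, entry_rva) for s in sections):
        findings.append("entry point outside every section")
    return findings


def build_test_pe(entry_rva, sections):
    """Constructed header-only PE32 image for testing (assumption, not a real file)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)            # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, va, raw, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, raw, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed sample: a normal layout, entry point in .text
CLEAN_IMAGE = build_test_pe(0x1010, [
    (b".text", 0x1000, 0x800, 0x800, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", 0x2000, 0x200, 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

# Constructed sample: last section enlarged, made executable, entry point moved into it
EXPANDED_IMAGE = build_test_pe(0x2200, [
    (b".text", 0x1000, 0x800, 0x800, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", 0x2000, 0x1400, 0x1400, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE
     | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_IMAGE), ("expanded", EXPANDED_IMAGE)):
        print(label, entry_point_findings(image) or ["nothing suspicious"])
```

Treat the result as a triage signal rather than a verdict: some packers and installers also place the entry point in a trailing section, so the check earns its keep by narrowing which files get a closer look, and by being cheap enough to run across a directory tree.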

   WHO IS OROCHI ???...     PLAY KOF97.... AND YOU WILL SEE...        YOURSELF.